1. Field of the Invention
The invention relates to methods for distributing data packets of communication connections to nodes in network element clusters, and to network element clusters in which such methods are applied. In particular, the invention relates to a method as specified in the preamble of the independent method claim.
2. Description of Related Art
Public networks are increasingly used for sensitive and mission-critical communications, and the internal networks of various organisations and enterprises are nowadays connected to public networks, the Internet being one of them. Since the basic mechanisms of public networks were not originally designed with secrecy and confidentiality in mind, public networks are untrusted networks. To protect an internal network, a special network element is usually used to connect the internal network to a public network. Typically such a network element monitors the connections traversing it and possibly modifies the data packets of the connections according to predetermined rules. Network address translation (NAT) and protocol conversion are examples of methods that require the data packets to be modified in such network elements; other modifications of the data packets traversing the network element may also be performed. This kind of network element is often called a security gateway or a firewall.
To ensure sufficient capacity of a firewall or a server, it is common to construct it as a cluster of typically identical network elements. The identical or similar network elements forming a cluster are usually called nodes. FIG. 1 illustrates two examples of network element clusters. A security gateway or firewall connecting a network 13 to a second network 10 is a cluster 14 of network elements 15a, 15b and 15c. For comparison, network 11 is connected to network 10 using a single network element 12. A second example is a server cluster 17 having server nodes 18a, 18b and 18c. For comparison, a single server 16 is also presented in FIG. 1.
A cluster of network elements such as servers or firewalls typically includes a plurality of similar nodes. The nodes have a common network address, hereafter called the cluster network address, and connections are typically directed to the cluster by means of this address. Additionally, the nodes may have node-specific network addresses. In a cluster where the nodes share a common cluster network address, all nodes see all data packets arriving at the cluster, so there has to be an arrangement for distinguishing which data packets belong to which node. That is, each node should process only those packets that are assigned to it and ignore the other data packets. Therefore the data packets arriving at the cluster need to be distributed among the nodes of the cluster. Typically this is done so that every node filters all arriving data packets and decides, for example on the basis of the plaintext header field(s) of the packet, whether that particular node needs to process that particular packet.
Connections directed to a cluster of network elements are directed to different nodes of the cluster on the basis of predefined distribution criteria. One example of such criteria is the use of hash functions: node-specific sets of hash values are allocated to the nodes, and a hash value for a data packet is calculated using a predetermined hash function over certain header fields of the data packet. For TCP/IP (Transmission Control Protocol/Internet Protocol) and UDP/IP (User Datagram Protocol/Internet Protocol), the header fields typically used for calculating hash values are the source address, source port, destination address and destination port.
When a data packet directed to the cluster network address arrives at the cluster, a hash value is calculated on the basis of some header fields of the data packet, and the resulting hash value defines which node processes the data packet. Typically, all nodes filter all arriving data packets by calculating hash values for them, and then decide on the basis of the hash values which data packets belong to them. Some method other than calculating a hash value may also be used for distributing data packets.
Consider, as an example, server cluster 17 having two nodes 18a and 18b, where distribution decisions are made using a hash function. The employed range of hash values is, for example, A–F. Hash values A, B and C are allocated to node 18a, and hash values D, E and F are allocated to node 18b. Connections are directed to nodes 18a and 18b on the basis of the hash values calculated for incoming packets.
To ensure reliable operation it is typically required that all data packets of one connection, for example a TCP connection, are handled by the same node; otherwise the connection may fail. The header fields used in calculating hash values for data packets are therefore selected so that all data packets of a packet data connection have the same header field values. Every data packet of one connection has the same source address, source port, destination address and destination port, and therefore these header fields are often used. All data packets of a certain packet data connection result in, for example, hash value C, and a data packet resulting in hash value C is always directed to node 18a.
Problems arise if the hash values need to be reallocated dynamically among the nodes of cluster 17, for example because a new node 18c is added to the cluster. Other reasons for reallocating hash values may be, for example, load balancing or a node starting a procedure to go offline. Consider the above-mentioned connection with hash value C handled in node 18a. If node 18c is added to cluster 17 and the hash values are reallocated so that hash values A and B belong to node 18a, hash values C and D belong to node 18b and hash values E and F belong to node 18c, hash value C no longer belongs to node 18a. Thus the data packets of the example connection are no longer directed to node 18a, and the connection fails.
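The following Python model is an added illustration written for this page; it is not code from the patent. It implements the hash-based distribution of the preceding paragraphs (every node sees every packet, hashes the four header fields, and claims only the hash values allocated to it) and then reproduces the reallocation failure: a node that takes over hash value C has no state for the connection that node 18a set up. CRC32 standing in for the "predetermined hash function", the A–F range, the addresses, and the node names are assumptions or constructed input.

```python
import zlib
from dataclasses import dataclass, field

# Hash-value range A-F from the text's example; each node owns a subset of it.
HASH_VALUES = list("ABCDEF")


@dataclass(frozen=True)
class Packet:
    """The four header fields the text names, plus a flag for the first packet of a connection."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False


def conn_id(pkt: Packet):
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport)


def packet_hash(pkt: Packet) -> str:
    """Hash value computed from source/destination address and port only.

    CRC32 stands in for the unspecified hash function (assumption). Because
    nothing else is hashed, every packet of one connection maps to the same value.
    """
    key = f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}".encode()
    return HASH_VALUES[zlib.crc32(key) % len(HASH_VALUES)]


@dataclass
class Node:
    name: str
    hash_values: set
    connections: set = field(default_factory=set)  # per-connection state held by this node

    def filter(self, pkt: Packet) -> str:
        """Every node sees every packet; it handles only those whose hash value it owns."""
        if packet_hash(pkt) not in self.hash_values:
            return "ignored"
        cid = conn_id(pkt)
        if pkt.syn:
            self.connections.add(cid)
            return "accepted"
        if cid in self.connections:
            return "accepted"
        # Mid-connection packet for a connection this node never set up: a stateful
        # server or firewall has nothing to match it against, so the connection fails.
        return "no_state"


class Cluster:
    def __init__(self, allocation: dict):
        self.nodes = {}
        self.reallocate(allocation)

    def reallocate(self, allocation: dict):
        """Install a new hash-value allocation, creating nodes that did not exist yet."""
        for name, values in allocation.items():
            if name in self.nodes:
                self.nodes[name].hash_values = set(values)
            else:
                self.nodes[name] = Node(name, set(values))

    def deliver(self, pkt: Packet):
        """Hand the packet to all nodes; return (node name, result) for the one that claims it."""
        claims = []
        for node in self.nodes.values():
            result = node.filter(pkt)
            if result != "ignored":
                claims.append((node.name, result))
        if len(claims) != 1:
            raise RuntimeError(f"expected exactly one owner for {pkt}, got {claims}")
        return claims[0]


def packet_with_hash(value: str, syn: bool) -> Packet:
    """Search client source ports for a tuple whose hash value is `value` (constructed input)."""
    for sport in range(1024, 65536):
        pkt = Packet("192.0.2.10", sport, "198.51.100.1", 80, syn)
        if packet_hash(pkt) == value:
            return pkt
    raise ValueError(value)


def demo():
    cluster = Cluster({"18a": "ABC", "18b": "DEF"})
    syn = packet_with_hash("C", syn=True)
    data = Packet(syn.src, syn.sport, syn.dst, syn.dport, syn=False)

    before = [cluster.deliver(syn), cluster.deliver(data)]  # both handled by 18a
    # Node 18c joins and the hash values are reallocated as in the text.
    cluster.reallocate({"18a": "AB", "18b": "CD", "18c": "EF"})
    after = cluster.deliver(data)  # 18b now owns C but holds no state for the connection
    return before, after


if __name__ == "__main__":
    print(demo())
```

The hash here is direction-dependent: a reply packet swaps source and destination fields and would hash differently. A firewall cluster that sees both directions of a connection therefore needs a symmetric hash (for example, ordering the two endpoint tuples before hashing) so that both directions land on the node holding the state.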
Clustering functionality is typically implemented by means of a separate clustering module, which is typically software running in the same device (computer) as the application to be clustered. The clustering module and the application to be clustered run on top of some operating system (OS). FIG. 2 illustrates the server cluster 17 in more detail; the gateway or firewall cluster 14 may be implemented in a similar manner. In the server cluster 17, each node 18 comprises an operating system 20 and the clustered application 22. The operating system may be divided into lower level and higher level portions 20a and 20b: for example, the higher level may include IP, TCP and UDP functionality and the lower level may include the network interface. Furthermore, the nodes may include a firewall component 23. The clustered application may be, for example, a WWW or WAP server application. Typically these programs 20 and 22 are the same in each node 18, and the clustered application 22 does not need to be aware of the clustering; the application 22 runs independently in each node. The clustering software 21 is responsible for distributing the arriving data packets to the clustered application in the correct node.